Field
Embodiments of the present disclosure generally relate to detection and mitigation of Distributed Denial-of-Service (DDoS) attacks. More particularly, embodiments of the present disclosure relate to systems and methods for efficiently detecting and mitigating zero-day DDoS attacks against network applications in near real-time.
Description of the Related Art
One of the major threats on the Internet today is Denial-of-Service (DoS) attacks and, in particular, Distributed Denial-of-Service (DDoS) attacks. A DoS attack is typically an attack made in order to render a computer system/machine or a network resource unavailable to legitimate users, thereby causing them loss of service or network connectivity. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of efforts to temporarily or indefinitely interrupt or suspend the services of a host connected to the Internet. The most common DoS attacks aim at exhausting computational resources, such as connection bandwidth, memory space, or CPU time, for example by flooding a target network node/resource with valid or invalid requests and/or messages. They can also disrupt network components or configuration information, such as routing information, or aim at disabling an application, making it unusable. In particular, network components, such as servers, proxies, gateways, routers, switches, hubs, etc., may be disrupted by malicious software attacks, for example by exploiting buffer overflows or vulnerabilities of the underlying operating system or firmware.
DDoS attacks involve two or more people/bots. A DDoS attack is basically a DoS attack that, instead of using a single computer as the base of attack, uses multiple compromised computers simultaneously, possibly a large or very large number of them (e.g., millions), thus amplifying the effect. Together, they flood the network with an overwhelming number of packets, which exhaust the network or application resources. In particular, the packets may target one particular network node, for example a router, a switch, a gateway, or an application server, causing it to crash, reboot, or exhaust its computational resources. The compromised computers, often called zombies, are typically infected by malicious software (e.g., a worm, a virus, or a trojan) in a preliminary stage of the attack, which involves scanning a large number of computers and searching for those having one or more particular vulnerabilities. The DDoS attack itself is then launched at a later time, either automatically or by a direct action of the attacker.
Various DoS attacks, such as buffer overflows, can cause software running on the server to misbehave and fill the disk space or consume all available memory or CPU time. Other kinds of DoS attacks rely primarily on brute force, flooding the target with an overwhelming flux of packets, oversaturating its connection bandwidth or depleting the target's system resources. Bandwidth-saturating floods rely on the attacker having more bandwidth available than the victim. A common way of achieving this today is via a DDoS attack employing a botnet. Other floods may use specific packet types or connection requests to saturate finite resources by, for example, occupying the maximum number of open connections or filling the victim's disk space with logs.
As described above, these DDoS attacks have become a favorite tool of hackers for targeting a web service or a network resource. By bombarding a server with traffic, they can make it impossible for legitimate users to secure a connection—effectively taking a site offline.
Traditionally, DDoS attacks are carried out at the network layer, for example through Internet Control Message Protocol (ICMP) flooding, Transmission Control Protocol (TCP) SYN flooding, and/or User Datagram Protocol (UDP) flooding. The intent of these attacks is to consume network bandwidth and deny service to legitimate users of the targeted systems. Since many studies have addressed this type of attack and proposed different schemes (e.g., network activity measurement and/or anomaly detection) to protect the network and equipment from bandwidth attacks, it is not as easy as in the past for attackers to launch network-layer DDoS attacks. When network-layer DDoS attacks fail, attackers shift their offensive strategies to more sophisticated application-layer DDoS attacks.
In recent times, attackers have been targeting application-layer services, such as Session Initiation Protocol (SIP), Hypertext Transfer Protocol (HTTP), Simple Mail Transfer Protocol (SMTP), Domain Name System (DNS) and the like, with DDoS attacks. Such attacks are now also being applied to voice communications, as hackers have started to harness massive Voice over Internet Protocol (VoIP) networks to flood phone networks and prevent genuine emergency calls from getting through. In another instance, attackers run a massive number of queries through the victim's search engine or database to bring the target server down. Application-level DDoS attacks may focus on exhausting server resources, such as sockets, CPU, memory, disk/database bandwidth, and I/O bandwidth. The growing frequency of these attacks has highlighted security issues with VoIP services, as hackers can generate new numbers faster than traditional firewalls can block them, while VoIP also offers criminals a measure of anonymity, as they are often hard to trace.
In prior art solutions, attempts have been made to detect DDoS attacks at three different layers, namely the IP layer, the TCP layer, and the application layer, and to distinguish traffic from legitimate users from that of potential DDoS attacks. Various statistical analysis based solutions have been proposed for detecting and preventing DDoS attacks from the physical layer up to application-level services. Existing anomaly detection techniques can typically be classified into two categories: rule-based techniques, and statistic-based or statistical techniques. Rule-based techniques describe normal behavior in terms of certain static rules or logic and can be either stateless or stateful; in particular, such rules can be derived from protocol specifications. Statistical anomaly detection techniques, on the other hand, describe normal behavior in terms of probability distributions of certain variables, called statistics, which depend on the chosen data features or parameters.
These methods, used to detect application-level DDoS attacks, typically employ rate limiting (e.g., not letting a client make more than 3 calls every X seconds) as the primary defense mechanism against DDoS attacks. However, existing DDoS protection measures lack the sophistication to deal with a scenario in which several legitimate users suddenly make requests for a particular service. For example, during a sports event, several legitimate users may use a web service to check the scores, but a typical rate-limiting defense mechanism may mistakenly prevent those legitimate users from accessing the service, because current techniques cannot easily distinguish requests from legitimate users from those of malicious users or bots merely by the statistical characteristics of the traffic. Therefore, state-of-the-art statistical methods and rate-limiting techniques can easily confuse a high volume of requests from legitimate users with a DDoS attack and mistakenly prevent legitimate users from accessing the service.
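The flash-crowd failure mode described above, as an added example that is not part of the original text: a per-client sliding-window limiter (the "3 calls every X seconds" rule) and a volume-only aggregate limiter are run over three constructed request streams that all share the same aggregate rate. The stream names, thresholds, window sizes and request counts are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

# Constructed request streams (timestamp_ms, client_id); not data from the original text.
# All three send 400 requests in 20 s, i.e. the same aggregate rate of 20 req/s.
FLASH_CROWD = [(t * 50, f"user{t % 200}") for t in range(400)]  # 200 real users, 2 requests each
BOT_FLOOD = [(t * 50, f"bot{t % 5}") for t in range(400)]  # 5 bots, 80 requests each
DISTRIBUTED_FLOOD = [(t * 50, f"bot{t % 200}") for t in range(400)]  # 200 bots, 2 requests each

def per_client_limit(requests, max_calls=3, window_ms=10_000):
    """Sliding-window limiter: at most max_calls per client per window_ms
    (the 'no more than 3 calls every X seconds' rule). Returns (allowed, blocked)."""
    history = defaultdict(deque)  # client -> timestamps of allowed requests still in window
    allowed = blocked = 0
    for ts, client in requests:
        q = history[client]
        while q and ts - q[0] >= window_ms:  # expire timestamps that left the window
            q.popleft()
        if len(q) >= max_calls:
            blocked += 1
        else:
            q.append(ts)
            allowed += 1
    return allowed, blocked

def aggregate_limit(requests, max_per_window=10, window_ms=1_000):
    """Volume-only limiter: caps total requests per window regardless of client."""
    q = deque()
    allowed = blocked = 0
    for ts, _client in requests:
        while q and ts - q[0] >= window_ms:
            q.popleft()
        if len(q) >= max_per_window:
            blocked += 1
        else:
            q.append(ts)
            allowed += 1
    return allowed, blocked

def compare_limiters():
    """Run both limiters over each stream; returns {stream: {limiter: (allowed, blocked)}}."""
    streams = {"flash_crowd": FLASH_CROWD, "bot_flood": BOT_FLOOD,
               "distributed_flood": DISTRIBUTED_FLOOD}
    return {name: {"per_client": per_client_limit(s), "aggregate": aggregate_limit(s)}
            for name, s in streams.items()}

if __name__ == "__main__":
    for name, result in compare_limiters().items():
        print(name, result)
```

The distributed flood and the flash crowd produce identical results under both limiters: the volume-only limiter drops half of the legitimate crowd, and the per-client limiter passes the distributed bots untouched, because neither threshold sees anything that separates the two streams.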
Other existing defense methods described in the prior art for protection against DDoS attacks are based on man-machine interaction, e.g., puzzles, passwords, and CAPTCHAs. However, these schemes are not effective/popular for DDoS attack detection because they may annoy users and introduce additional service delays.
There is therefore a need for systems and methods that are able to, with a high degree of confidence and in near real-time, identify and block the bots while letting legitimate users continue with uninterrupted access to the network applications during an application-layer DDoS attack, such as an attack against a SIP server, a proxy server, an HTTP server, a DNS server, or any other desired/appropriate application.